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(57) ABSTRACT 

A request for an access code for a locking mechanism is 
received; and a one-time use access code for the locking 
mechanism is subsequently issued. The one-time use access 
code may be issued from a list of currently available access 
codes for the locking mechanism in response to a request 
therefor, for example by a merchant or delivery service. 
Such a code may be issued by a server, which server is 
further responsible for updating the list of available access 
codes in response to an indication that a code has been used 
or has otherwise expired. The list of currently available 
access codes is preferably a subset of all access codes for the 
locking mechanism, which codes may be generated using a 
cryptographically strong random number generator. 
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LOCKING MECHANISM FOR USE WITH 
ONE-TIME ACCESS CODE 

RELATED APPUCARON 

This application is related to and hereby claims the 
priority benefit of a Provisional Apphcalion entitled "A 
System for Secure Unattended Delivery and Pickup of 
Goods", application Sen No. 60/154,294, filed Sep. 16, 
1999, by the present inventors. 

HELD OF THE INVENTION 

The present invention relates to a scheme for providing 
one-time use access codes for a lock mechanism as may be 
employed with secured doors to and/or from buildings, 
secured access points and/or containers, etc., including 
secure storage devices for the delivery and pickup of goods 
and/or other applications/appliances/mechanisms that 
require security. 

BACKGROUND 

U.S. Pat, No. 5,774,053, which is hereby incorporated by 
reference, describes a storage device for the delivery and 
pickup of goods. As recognized in that disclosure, home 
delivery of goods has become more and more popular with 
the rise of shopping over the Internet, by catalog, and .so on. 
In addition to clothing, appHances, furniture, books and 
other materials previously available from catalogs and the 
like, the Internet has spawned e -shopping services for gro- 
ceries and other items. Similarly, in many areas local mer- 
chants such as dry cleaners offer residential pickup and 
delivery services for their customers. 

The storage device described in U.S. Pat. No. 5,774,053 
provided a means for such home pickups and deliveries even 
when the homeowner was absent. Briefly, the storage device 
provided a secure environment for the goods and included a 
communication apparatus for providing notification that the 
goods had been picked up or delivered. Access to the storage 
device was gained by entering a so-called vendor code into 
a controller via a keypad. The controller oversees locking/ 
unlocking of the storage device. Entering a valid vendor 
code unlocks the storage device, allowing couriers and/or 
others to pickup and/or dehver goods from/to the storage 
device. 

One shortcoming with the storage device described by 
U.S. Pat. No. 5,774,053 concerns the use of the vendor 
codes. As contemplated, the vendor codes are static, reus- 
able codes assigned to each vendor that dehvers and/or picks 
up goods to/from the storage device. "For example, a 
laundry and drycleaning (sic) business may be assigned a 
vendor code of 333, whereas a local grocery store may be 
assigned a vendor code of 444." U.S. Pal. No. 5,774,053 at 
col. 5, 11. 39-45. The use of such vendor codes presents a 
security risk in that once an unauthorized person learns one 
of the codes, that individual has access to the storage device 
until such time as the code is removed from the list of 
authorized vendor codes stored in the controller's memory. 
This presents a problem inasmuch as several days or weeks 
may pass before a storage box owners learns that one or 
more of the vendor codes has been compromised and has 
time to reprogram the controller with new vendor codes. 
During this time, the security of the storage box is ques- 
tionable at best. Moreover, the assigning, canceling and 
reassigning of the vendor codes requires what could be a 
significant amount of time and effort (key management) on 
the part of a storage device owner/end-user. Also, the 
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vendors are required to keep track of codes for different 
customers and, presumably, must take steps to ensure that 
the security of these codes are maintained. 

5 SUMMARY OF THE INVENTION 

Described herein is a scheme for providing locking 
mechanisms (that may be used in a variety of apphcations) 
for use with one-time access codes, 'llie present scheme 
avoids the drawbacks of the system described above, for 
example by providing a third-party service that handles key 
management. The third-party service may issue access codes 
to vendors, etc., for one-time use and thereby free the 
storage device owners from having to perform and manage 
this task. Also, because the access codes are intended for 
one-time use only, vendors and others are freed from the 
responsibihty of maintaining the security of a number of 
keys for different customers for indefinite periods. Keys (or 
access codes) may be distributed to the locking mechanism 
in a variety of ways (including via a RF network and/or at 
the time of manufacture). 

In one embodiment, a request for an access code for a 
locking mechanism is received; and a one-time use access 
code for the locking mechanism is subsequently issued. '^The 

25 one-time use access code may be issued from a list of 
currently available access codes for the locking mechanism 
in response to a request therefor, for example by a merchant 
or delivery service. Such a code may be issued by a server, 
which server is further responsible for updating the list of 
available access codes in response to an indication that a 
code has been issued, used or has otherwise expired. The list 
of currently available access codes is preferably a subset of 
all access codes for the locking mechanism, which codes 
may be generated using a cryptographically strong random 

35 number generator. Such a loclcing mechanism may be used 
with a storage device, a door or gate, or any appliance or 
other mechanism or may find application in a variety of 
security systems. 

In a further embodiment, a storage device that includes an 

40 enclosure adapted to allow for the storage of goods and 
having a door fitted with a locking mechanism; and a locking 
mechanism controller coupled to the locking mechanism and 
adapted to unlock the locking mechanism upon receipt of an 
entry code, said entry code expiring within a first predeter- 

45 mined time interval of its first use to unlock the locking 
mechanism (which may include some time after the locking 
mechanism has been re-locked), is provided. The entry code 
may expire within a second predetermined time interval (or, 
in other cases, a time window that varies, e.g., according to 

50 past usage of the locking mechanism) regardless of whether 
it is used to unlock the locking mechanism or not. The 
locking mechanism controller preferably includes a micro- 
controller configured to operate an actuator in response to 
receiving the entry code and may be adapted to receive the 

55 entry code via at least one of a keypad, a bar code scanner, 
a magnetic stripe reader, a wireless (e.g., RF or IR receiver) 
or a smart card reader. In some cases, the locking mechanism 
controller may be configured to communicate with a server 
(e.g., via at least one of the Internet, a wireless network or 

50 the public switched telephone network) configured to pro- 
vide the entry code. 

In a further embodiment, a computer-based service con- 
figured to dispense one-time use access codes for remotely 
located locking devices in response to requests therefor is 

65 provided. Transaction fees may be assessed for each access 
code dispensed and the access codes may be so dispensed 
from a server accessible through at least one of the Internet, 
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a wireless network or the public switched telephone net- 
work. Preferably, each access code so dispensed expires 
upon the earlier occurrence of (i) its use to access an 
associated one of the storage devices, or (ii) a predetermined 
time period. 

These and other features and advantages of the present 
invention are discussed in detail below. 

BRIEF DESCRIPTION OF THE DRAWINGS 

The present invention is illustrated by way of example, 
and not limitation, in the figures of the accompanying 
drawings in which like reference numerals refer to similar 
elements and in which: 

FIG. 1 illustrates an example of a storage device config- 
ured in accordance with an embodiment of the present 
invention; 

FIG. 2 illustrates top, front and side views of the storage 
device shown in FIG. 1; 

FIG. 3 illustrates a computer network configured to accept 
requests for and issue access codes for storage devices 
similar to that shown in FIG. 1; 

FIG. 4 illustrates an example of an access code table that 
may be maintained within a server and/or a storage device 
in accordance with an embodiment of the present invention; 

FIG. 5 illustrates a more detailed view of a server suitable 
for use with the network shown in FIG. 3; 

FIG. 6 illustrates an example of a locking mechanism 
controller for the storage device shown in FIG. 1; and 

FIG, 7 illustrates an example of the use of a local interface 
unit as a relay station for messages passed between a remote 
access code control unit and a server. 

DETAILED DESCRIPTION 

A locking mechanism adapted for use with one-time use 
access codes (and schemes for requesting/delivering such 
codes) as well as their use with various storage devices arc 
described below. Although discussed with reference to cer- 
tain illustrated embodiments, upon review of this 
specification, those of ordinary skiU in the art will recognize 
that the present invention may find application in a variety 
of systems. Therefore, in the following description the 
illustrated embodiments should be regarded as exemplary 
only and should not be deemed to be limiting in scope. 

In one embodiment, the present system allows for the 
secure delivery and/or pickup of goods, thereby increasing 
the efficiency of courier personnel by providing means for 
unattended pickup/delivery. In addition, means for verifying 
such delivery/pickup are incorporated within the system. 
One embodiment of the present system is composed of 
storage devices (adapted to be placed at locations where 
pickup/delivery services are desired, e.g., residences, oHice 
buildings, condominium and/or apartment developmenLs, 
etc.), one or more computer servers, communications 
devices, human interface components and software. Fea- 
tures of the system include package tracking, electronic 
signatures, payment transfer, delivery scheduling, unat- 
tended transfer/storage of parcels and event notification to 
multiple parties. In addition, the present system allows for 
confirmation of deliveries/access to the storage device as 
well as confirmation of acceptance of the items delivered. As 
will be more fully described below, a unique one-time access 
code to allow access to a locking mechanism associated with 
a storage device is issued by a server for each access, pickup 
or delivery, thus reducing opportunities for theft and/or 
tampering and providing for the tracking of each access. 
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The present scheme also allows for goods and other 
materials to be picked up and delivered in a secure, traceable 
fashion. Physical security is provided in part by securing the 
storage device at the customer premises. This can be accom- 

5 plished by fixing the storage device to the site with bolts or 
other fastening devices passed through reinforced points 
inside the body of the storage device and attaching same to 
a wall or floor. Alternatively or in addition, a water bladder/ 
lank inside the storage device may be filled to add weight 
(and thus discourage unauthorized persons from attempting 
to move the storage device) and also acts to stabilize the 
temperature inside the storage device during the course of 
the day. The tank walls may be positioned several inches 
from the exterior of the storage device, thus preventing 

J 5 draining of the tank by puncturing the exterior of the storage 
device. In addition, a cable or chain may be used to secure 
the storage device at the site via an attachment point. 

An example of such a storage device fitted with a locking 
mechanism configured in accordance with the present inven- 

20 tion is illustrated in FIG. 1. Storage device 10 has a generally 
rectangular base and is of a size sufScient to hold the type 
of goods that can be expected to be delivered. For example, 
storage device 10 may be of suflBcient size to receive a 
delivery from a grocery store and/or other goods and/or the 

25 maximum or expected size of common courier deliveries. In 
the example shown in the figure, storage device 10 has a 
sloping lid 12 that extends from the rear of the storage 
device to the front thereof and which is hinged so as to open 
upwards and to the rear, but other embodiments of storage 

30 device 10 may be fitted with a door that opens to the side, 
front, bottom or top. A handle 14 is provided for user 
convenience in opening the lid 12, but other opening mecha- 
nisms (e.g., knobs, recessed handholds, etc.) may also be 
used. The physical design/size of storage device 10 is not 

35 critical to the present invention. 

As shown, storage device 10 is configured with a locking 
mechanism that may be activated/deactivated via an access 
code entry unit 16. In one embodiment, access code entry 
unit 16 includes a keypad and display (useful for displaying 

40 messages such as the time and/or date of the last access 
and/or the identity of the person making such access based 
on the code used, etc.), and is configured to accept user input 
in the form of keystrokes and to provide user feedback and 
other human interface elements via a liquid crystal or other 

45 display. In other embodiments, the access code entry unit 
may operate in conjunction with an infrared transmitter 
(similar to an automobile keyless entry system), a barcode 
scanner and/or a magnetic stripe or electronic card reader. 
The infrared transmitter may be used by the owner of the 

50 storage device 10 to gain entry to the storage device without 
the need to manually enter an access code. In such cases, the 
infrared transmitter may be configured to emit a coded 
message upon activation, which message serves to authen- 
ticate the user and cause the access code entry unit (fitted 

55 with a corresponding infrared receiver) to unlock the locking 
mechanism. Similarly, a card with a magnetic stripe (coded 
with the user*s access code) may be used to open the storage 
device 10, where the access code entry unit 16 is fitted with 
a magnetic stripe reader. An electronic card (e.g., fitted with 

60 a smart chip or other means of transmitting an access code) 
may also be used in place of or in addition to these other 
access means. Indeed, any or all of these access means may 
be employed in combination. 

- One other access means concerns the use of bar code 
65 scanners. A bar code is a combination of black and white 
lines that contains character information, llie character 
information in bar codes may be read with specialized 
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reading devices and subsequently passed on to a computer or power (e.g., internal battery) failure, the storage device 

other device (e.g., cash registers and other appliances). remain locked, until an external battery is applied to the 

Various types of reading devices are used to obtain the data battery clip 24 and the proper access code entered. Although 

represented in bar codes, depending upon the application. this may cause one or more delivery attempts to fail, it is 

One type of reading device that is used is a scanner. Scanners 5 deemed to be preferable to a situation where the storage 
are generally equipped with laser diodes and a system of device fails over to an unlocked state. The same electronics 

mirrors and lenses to scan the bar code and capture the bay 22 may include electronic circuitry and/or power 

reflection thereof. Other bar code reading devices that oper- sources for the inner storage compartment 20, or such 

ate on similar principles include gun readers, hght pens, electronics and/or power sources may be separate, 

cameras, etc. 10 embodiment, the interior of storage device 10 

In one embodiment, a specially configured bar code includes a bar code unit 26 (shown in the side view only for 

scanner (or other bar code reader) is adapted to modulate the clarity). The bar code unit 26 (which in some case may 

laser beam produced by its laser diode, so as to transmit an simply be a label glued or otherwise applied to the interior 

access code. A bar code entry unit is positioned on storage of the storage device 10 or in other cases may be a more 

devicelO(e.g.,inplaceof or in addition to access code entry 15 durable bar code unit supported by a holder) provides a 

unit 16) and is configured to pass the access code informa- serial number or other identifying criteria for the storage unit 

tion included in the modulated laser beam to a computer/ 10. Thus, when delivery personnel that require some form of 

controller unit of the access code entry unit. In this way, signature for dropping off a dehvery leave a package in 

access code information may be passed to the storage unit at storage device 10, the bar code embossed on the bar code 

the same time as bar code information (e.g., a serial number 20 ^6 can be read (e.g., using a conventional bar code 

or the like) is read therefrom. scanner or other reader device) as a form of "digital signa- 

HG. 2 illustrates front, side and top views of the storage 1"^^"- some cases, the signature information may later be 
device 10, with certain features thereof not illustrated so as downloaded fi-om the delivery service to the access code 
not to unnecessarily obscure other features of interest in the service provider (as described below) to confirm delivery 
following discussion. Shown in broken line outline is the 25 acknowledge use of the access code, 
tank 18, which is located at the bottom of the interior portion FIG. 3 illustrates an embodiment of the present invention 
of storage device 10 and which can be filled with water, sand wherein a server (accessible through a number of means) is 
or other material or fluid as described above. Also shown in responsible for providing delivery personnel, merchants, 
broken line outline is an inner security compartment 20, customers and others with access codes for storage devices 
which is located inside and secured to storage device 10. The 30 10. Server 30 may be operated by a service provider that 
inner security compartment 20 provides a secure "box licenses, sells, leases, or otherwise provides locking devices 
within a box", and may be opened using a separate access 28 (e.g., for use with storage devices 10 or for other 
control mechanism which opens storage device 10. For apphcations) to users thereof. As shown, locking devices 28 
example, inner security compartment 20 may be fitted with may be configured in a variety of ways: as stand-alone 
a conventional key lock, a pad lock, combination lock or an 35 devices, or as connected devices, which communicate with 
electronic locking mechanism that relies on access codes server 30 via telephone interfaces 32, wireless (RF) inter- 
similar to that described below. Inner security compartment faces 34 and/or network interfaces 36, The network inter- 
20 provides a storage space for highly confidential and/or faces 36 may be dedicated or dial up interfaces/connections 
valuable materials (such as cash, jewehy, cameras, etc.). that utilize a public computer network (such as the Internet 
Owners of storage device 10 may use inner security com- 40 38) or a private computer network (such as a wide area 
partment 20 as a secure holding place for cash or other network or virtual private network that tunnels within a 
payments for COD delivery items and/or to receive delivery pubhc network). The RF interfaces may support communi- 
ofvaluable materials which others should not have access to. cation within a public (e.g., cellular) or private wireless 
Forexample, if the owner is expecting multiple deliveries on network 40. Telephone interfaces 32 may be adapted to 
the same day, one of which requires a COD payment, the 45 provide communication with server 30 through the public 
owner may leave the payment funds locked within the inner switched telephone network (PSTN) 42 (e.g., via dial-up 
security compartment 20 and provide the means for gaining modem connection or Internet connection via Digital Sub- 
entry to that inner security compartment (e.g., the lock scriber Line, cable/wireless modem, etc.). Corresponding 
combination or electronic access code, etc.) only to the interfaces are provided at server 30 to allow for 
delivery person expected to make the COD delivery. Other 50 bidirectional, fuU-duplex and/or half-<luplex communication 
delivery persons wiU not have access to the inner security with the locking devices 28. 

compartment 20, because the access code for storage device Server 30 may also be accessed by various merchants 42, 

10 will not operate the locking mechanism for the inner couriers/delivery services 44 and/or customer 46 through the 

security compartment. In this way, the owner can ensure that Internet 38 or other means. For example, in some cases, one 

only the desired delivery person (or other courier, neighbor, 55 or more merchants 42 and/or couriers/dehvery services 44 

etc.) can have access to the contents of the inner security may maintain dedicated connections with server 30 through 

compartment 20. one or more dedicated interfaces 48. Thus, delivery services 

Storage device 10 also includes an electronic component that experience a significant amount of interaction with 

bay 22, which may house the various electronic components owners of the storage boxes 10 may utilize such dedicated 

of the locking mechanism described below. The power 60 connections to request and receive access codes for locking 

source (e.g., battery) for these components may also be devices 28 associated therewith, without having to establish 

located herein, and/or an external battery clip 24 may be individual connections through the Internet 38 for each 

provided. Preferably, the external battery clip 24 is only used transaction. 

to connect an external battery when the primary power As alluded to above, one of the functions of server 30 is 

source for storage device 10 has failed. In such situations, it 65 to provide access codes for the locking devices 28. In 

is desirable that the power failure mode of the locking operation, owners (and herein the term owners is meant to 

mechanism is the locked state. That way, in the event of a encompass lessees, owners and others who have a locking 
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device 28) of locking devices 28 will be able to instruct a until the previously issued access code has been used. An 

delivery service, merchant, courier or other person or entity indication of such use may be provided by communication 

that any deliveries/pick ups for the owner should be made between the locking device 28 and the server 30 (e.g., using 

to/from the owner's storage device 10 that is configured with one of the communication links discussed above) and/or by 

a locking device 28. For example, when shopping through 5 an indication from the delivery service/merchant/courier 

an Internet based merchant, when it comes time for the that the delivery/pick up has been completed. Also, the 

owner to indicate his/her delivery address, he/she may locking device owner may be responsible for providing an 

indicate the serial number or physical address (which need update to the server 30 indicating that a delivery or pick up 

not necessarily be the owner's home address) of the storage was completed. 

box 10. By identifying the existence of the storage box in jq The sequential use of access codes in the manner dis- 

some way, the owner is prompting the merchant (or delivery cussed above provides very precise control over the access 

service used by the merchant, etc.) to request an access code codes in as much as only one code is outstanding at any one 

from server 30. The retrieval of such an access code may be time. However, it may be inconvenient inasmuch as a 

completed as part of the checkout process from the Internet- storage device owner may wish to receive several deliveries 

based store, or it may be performed as a post-transaction and/or schedule pick-ups that overlap with one another. To 

function when the merchant behind the store processes the accommodate such situations, in another embodiment a 

transaction. In other cases, when the storage box owner is number of access codes within a certain window of size 

expecting a delivery from a local merchant (e.g., a dry M«P may be issued, where the window need not neces- 

cleaning service or grocery delivery service, etc), he/she sarily include consecutive access codes. ITiat is, to accom- 

may instruct the local merchant to request an access code 20 modale the need to issue multiple access codes within any 

from server 30 in order to deliver the goods to the storage given time frame, a window of size M is established. As 

box 10. requests for access codes are received, those access codes 

Regardless of how the delivery service/merchant is within window M are issued (e.g., sequentially, in round 
advised to request an access code, that delivery service/ robin fashion, or in another fashion). As the access codes 
merchant may access server 30 (either via the Internet 38 or 25 issued are used and the server 30 is subsc- 
through a dedicated connection, etc.) and request an access quently notified of such use, the window sHdes or is other- 
code by providing some identifying information about the wise moved so as to indicate that the used code(s) has/have 
subject locking device (and/or associated storage device, expired and to include new access codes. In other 
e.g., a serial number, owner's name and/or address, etc.). embodiments, the server 30 need not be notified of the 
Recall that the access codes are meant to be one-time codes. 30 access code use, rather such window movement may be 
That is, the codes are good for only one access to the locking based on time intervals, etc. In this way, the problem of 
device 28. Thus, every access code issued by server 30 for overlapping deliveries/pick ups is rendered moot, 
a particular locking device 28, will be unique to the The size of the window may be configured by the storage 
requester. That requester, and only that requester, will know box owner to accommodate his/her expected delivery/pick 
the access code, and that access code will expire after it is 35 up frequency and can be altered at any time to account for 
used to open the subject locking device 28 (with reuse especially busy times (such as near the holidays or prior to 
possible within a certain, short time interval in some cases). a special occasion when multiple deliveries can be 
Therefore, not only does this minimize the risk of unautho- expected). Alternatively, or in addition, the window size may 
rized access using an access code (because even if the once be adjusted automatically based on use of the locking 
valid code were to be compromised it cannot be reused), it 40 device. It is important, however, that the window sizes at the 
also allows tracking of which individuals/entities had valid locking device 28 and server 30 be synchronized so that 
access codes at a particular point in time. valid access codes are not rejected. So long as P is large 

The one-time access codes may be provided through the enough, there should be sufficient time between reuse of any 

use of code books that are personalized for each locking access codes so as to minimize the risk of compromise, 

device. For example, at the time each locking device (or its 45 Alternatively, once all the available access codes have been 

access code entry unit) is manufactured, a number of access used, the locking device 28 may be reinitialized with a new 

codes may be stored in memory in a particular sequence. For set of access codes or the codes may simply be recycled 

example, the access codes may be stored in a table, similar (perhaps not in their original order of issue), 

to that shown in FIG. 4. Each access code may be N-digits To account for situations where some codes are never 

long (e.g., 4—10 digits and in one embodiment 5-7 digits) 50 used (e.g., cancelled deliveries and/or pickups), server 30 

and up to P (e.g., 1024-2048 or more) such access codes and locking device 28 can be configured to automatically 

may be stored in a table 50 resident in memory (see below cancel a particular access code after it has existed for some 

for a more detailed discussion of the access controller). period of time (e.g., a few days or weeks or even just hours 

These codes may be generated by a cryptographically strong if so desired) within the window of valid codes. This use of 

random (e.g., pseudo- random) number (using a unique seed 55 a "time to live" for each access code prevents the window 

number for each individual locking device) generator at the from becoming clogged with out-of-date codes that will 

time of manufacture and a replica of the access code table 50 never be used. 

for each locking device may be maintained at server 30 (e.g.. In still another embodiment, rather than having a table of 
as part of a customer database and/or a key database). Each available access codes, each locking device may be config- 
time a delivery service, merchant and/or other person/entity 60 ured with a cryptographically strong random number gen- 
requests an access code for a particular locking device, an erator as part of its access code entry unit. The numbers 
unused code from the table for that locking device is selected produced by the random number generator (with each new 
and provided to the requester (preferably only after authen- number so produced being used as a new seed number) may 
ticating the identity of the requestor through the use of a then be used as the access codes for that locking device. In 
previously assigned pass-code or the like). 65 such cases, server 30 would be configured with a similar 
In one embodiment, access codes for a locking device 28 random number generator and some knowledge of what a 
are issued sequentially, and a new access code is not issued particular locking device's original seed number was. By 
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knowing the seed number and the number of times the 
locking device has been accessed (e.g., the number of access 
codes given out), the server can predict what the next 
random number in the sequence produced by the random 
number generator at the locking device will be. This number 
can then be issued as the next access code for a requestor. 
Note that this scheme may present some of the problems 
discussed above for the overlapping delivery /pick up 
scenario, but may be suitable where the chance of such 
occurrences is small. To avoid such problems altogether (or 
at least to a greater degree), several (i.e., a window's worth) 
of access codes may be generated at a time and issued as 
needed. Of course, the corresponding access code entry unit 
would need to do the same so that codes within the window 
would be recognized. 

Yet another way of distributing access codes is to use the 
server 30 to "push" such codes to the locking device 28. For 
example, a delivery service may already use unique tracking 
or other numbers for packages that are being delivered. Such 
tracking or other numbers could serve as access codes for the 
locking device where the delivery service notifies the server 
30 of the tracking number and then server 30 transmits the 
tracking number to the locking device using one of the 
communication paths discussed above. The locking device 
28 (or its associated access unit) may then store the tracking 
number in memory and allow its one-time use as a valid 
access code. Of course, such a scheme need not be limited 
to tracking numbers and any user-supplied access code 
could be used. Note that security precautions (such as 
password challenges, etc.) may need to be taken to ensure 
that such access codes are being provided by trusted sources. 
In this way, even user/owner PIN numbers could be 
uploaded to the locking devices. 

Also, locking device owners may be able to notify server 
30 of a valid access code be having the locking device itself 
upload the code to the server 30 through one of the above 
communication paths. The owner may set the code using the 
keypad or other interface associated with the access control 
unit and this code may then be supplied to server 30, Thus, 
the user may be able to provide an access code for an 
individual that does not have access to server 30. The idea 
of notifying server 30 of the user-specified code is to ensure 
that such code is not then reissued any time soon, so as to 
maintain the security of the locking device. 

To this point, the use of server 30 as a means for 
requesting/delivering access codes has been discussed. 
Server 30 is also capable of operating as a central point of 
information dispersal. For example, storage device owners 
may be able to notify merchants and/or couriers that items 
are available for pick up through the use of server 30. By 
accessing server 30 (e.g., through the Internet or even by 
simply pressing a button or other notification mechanism at 
the storage device/access code entry unit), the owner may be 
able to complete a Web form (or send another notification 
message) that requests pick up of a specified item or items 
at a certain date/time and upon submission of that Web form 
server 30 may transmit an electronic mail (e-mail) message 
to the designated courier/merchant along with the necessary 
access codes. 

The role of server 30 as an information aggregator is more 
fully discussed with reference to FIG. 5 (of course this is 
merely one example of a server architecture and many other 
variants thereof may be used). As shown, server 30 is 
configured with one or more databases, for example a 
customer database 54 and/or a merchant/courier database 
56. An interface block 58 provides the interfaces for server 
30 to the Internet 38 (e.g., via a Web server 60 and/or an 
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e-mail engine 62), an RF network (e.g., a cellular or packet 
radio network) 40 and/or the PSTN 42. Direct connections 
64 with merchants/couriers may also be accommodated 
through interface block 58. 

5 A transaction monitor 66 is responsible for keeping track 
of incoming access code requests, verifying requesters (e.g., 
by comparing offered pass-codes with those stored in the 
customer and/or merchant courier databases), issuing access 
codes, receiving reports of used access codes and updating 

jQ access code table information. The access code tables 
(where used) may be stored as part of customer database 54 
and accessed through a key server 68 which is responsible 
for receiving and acknowledging access code requests (with 
or without the assistance of the transaction monitor 66). A 

J 5 fiizzy address matching block (e.g., algorithm) 70 may be 
provided to accommodate misspellings or other typographi- 
cal errors when access code requests, etc. are made. For 
example, where an address is entered that has no corre- 
sponding match in the customer database 54, the fuzzy 

2Q address matching block 70 may be configured to run alter- 
nate queries with shghtly different spellings of the submitted 
address to see if any matches are found. If such matches are 
found, server 30 may respond with a question such as "Did 
you mean . . . ?" In this way, merchants and other seeking 

25 access codes for their clients' storage devices will not be 
turned away blindly, perhaps causing missed deliveries or 
general customer dissatisfaction with the service. 

A customer service interface and application block 72 
may be provided to allow new customers to sign up and 

30 request delivery of locking devices and/or update their 
address information, etc. This also provides a data entry 
interface for various merchants/couriers, etc. that want to 
enter/update their information in the relevant databases. 
Further, this may include applications that allow for remote 

35 programming of the access code entry unit and/or locking 
device so that keypad features thereof may be updated/ 
modified. 

Another component associated with server 30 is the new 
key generation block 74, In this block (which may be a 

40 software component of server 30 or a dedicated computer 
system), the access code tables for new storage devices may 
be generated and copies thereof provided to the server 30 
(e.g., for inclusion in the customer database 54) and/or the 
storage device fabrication facihty (e.g., for inclusion within 

45 the new storage devices). Matching of storage device serial 
number (or other identifying criteria) and access code table 
is important otherwise it may not be possible to gain entry 
to a storage device. 

FIG. 6 now illustrates an example of an access code 

50 controller 80 for a locking device 28, portions of which may 
be housed in the electronics bay 22 of storage device 10 
described above. A central component of the access code 
controller 80 is a micro-controller/computer 82. In some 
embodiments, this micro-controller/computer may be a 

55 general-purpose microprocessor with associated volatile and 
non-volatile memory. The non-volatile memory may be 
programmed with an operating system and various subrou- 
tines for the microprocessor to provide the needed function- 
ality and may also store the access code table for the locking 

60 device where such a table is used. An interface unit 84 may 
be provided for intercommunication with server 30 (where 
the storage device operates in other than a stand-alone 
mode) and this interface unit may allow for communication 
via the Internet, the PSTN and/or an RF or other network. 

65 'lliis interface unit may also be configured to accept access 
codes from an owner-operated remote control as described 
above. 
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The micro-controller/computer 82 is configured to accept present service provider as a way of attracting new custom- 
inputs (e.g., access codes) from the access code entry unit ers. The present service provider benefits by experiencing an 

16. As indicated above, these codes may be provided in a increase in the number of access codes issued (presumably 
variety of formats, such as keystrokes from a keypad, at a fee) for an increasing number of deployed storage 
magnetic stripe reader and/or bar code scanner. Other access 5 devices. 

code entry devices may also be used. Upon entry of an Although the foregoing description and accompanying 

access code, the micro-con troller/compuier may be pro- figures discuss and illustrate specific embodiments, it should 

grammed to compare the entered code with the available be appreciated that the present invention has much broader 

valid codes and, upon successful comparison issue a control applicability. For example, the locking device may be used 

signal to an actuator 86 to unlock the storage device. If the with doors, gates (e.g., providing access to gated 

entered code does not match a valid code, a failure message communities, condominium developments, apartment 

may be displayed on a display device 88 (e.g., a hquid complexes, etc.) and other security systems. Such broader 

crystal or other display, which, in some cases, may be part applications are all within the scope of the present invention, 

of the access code entry unit 16). Where several failed In addition, the storage device described above may be 

attempts (e.g., 3) to gain access to the storage device occur adapted for use as a secure mailbox by providing a mail 

in succession, the micro -controller/computer may be pro- delivery slot through a side or top of the storage device 

grammed to reject any further attempt to open the storage (similar to such deUvery slots as may be found on the door 

device until the owner enters a special reset or other code. of a house or building). Indeed, the storage device could be 

In such cases, the micro-controller/computer may also be adapted to receive mail into the secure box within a box, so 

configured to report such attempted access to the server 30 that delivery personal would not have access to the mail so 

for further investigation. Other deterrence mechanisms delivered. Of course a conventional (or secure) mailbox 

include prolonging the lock-out period between repeated could simply be attached to the exterior of another storage 

access attempts. device. 

A power supply 90 (e.g., a battery or some other power Still other variations of the above -described scheme are 

supply) is provided to power the electronic elements of ^5 possible. For example, the access codes themselves could be 

access controller 80. As discussed above, means can be the tracking numbers (or other identifying criteria) assigned 

provided for alternate power supphes in the event of a power by the delivery service or merchant. Consider, for example, 

failure. a situation where a storage device owner purchases certain 

Storage device 10 and the one-time access-code scheme goods form an on-line store and requests delivery. When the 

described above provide for some interesting business 30 on-hne merchant arranges for delivery of the goods, for 

opportunities for the provider, operating server 30 example through a commercial delivery service, a tracking 

(hereinafter referred to as the "service provider"). For number for the package(s) is usually assigned. Either the 

example, unlike the scheme described in U.S. Pat. No. merchant or the delivery service may than notify the server 

5,774,053, the present service provider is and remains part 30 of this tracking number and the server 30 may commu- 

of the chain of commerce in every pick up and/or dehvery 35 nicate (e.g., via the internet or through a wireless and/or 

from/to a storage box 10. This is an opportunity to realize wired fink) with the access code controller 80 to inform the 

revenue from the distribution of access codes, rather than controller 80 that such tracking number is a valid access 

merely from the distribution of storage devices. Because one code. The controller 80 may store the tracking number in 

can expect to distribute may more access codes than storage memory for later recall/comparison. Note, the storage device 

devices, it follows that the potential overall revenue to be 40 10 may even be fitted with a bar code reader/scanner to 

realized from the present business model is greater than that allow a delivery person to scan in the tracking number from 

which may be realized simply from distributing storage a bar code applied to the package being delivered, thus 

devices. avoiding the need to manually enter the tracking number/ 

In addition, the service provider has the opportunity to act access code, 

as a virtual escrow agent. Because the service provider can 45 Communication between the server 30 and the controller 

track the delivery of goods to the storage device (e.g., 80 may be accomplished in any of the above-described 

through the reporting back of the use of an access code in the fashions or as follows. As shown in FIG. 7, one embodiment 

fashion described above), the service provider can withhold of the present invention provides an external/remote access 

payments to a merchant or other third party until such code control unit 90 and an inner/local interface unit 92, 

delivery can be confirmed. This is especially attractive in the 50 which communicate with one another via a wireless (or in 

areaof Internet-based auction transactions, where both seller some cases a wired) communication link 94. The remote 

and buyer arc reluctant to be the first to transmit goods or access code control unit 90 may be located some distance 

money as the case may be. By arranging for payment and away from the local interface unit 92 and/or may be on the 

delivery through the service provider (e.g., following the opposite side of one or more obstructions (e.g., a wall) 

conclusion of an auction), each party is assured that funds 55 therefrom. In one case, the remote access code control unit 

will be transmitted upon delivery and not before (although 90 may be co-located with a storage device outside a home, 

the service provider cannot assure any quality of the goods while the local interface unit 92 is located inside the home 

so delivered), (e.g., near a telephone jack or connected to a personal 

Because the use of the storage device provides security, computer or other appliance having an Internet connection), 

delivery services need not schedule deliveries around a 60 In operation, messages to be passed between server 30 

customer *s physical presence. Indeed, modified storage and remote access code control unit 90 may be relayed 

devices that are configured to provide refrigerated or heated through local interface unit 92. For example, interface unit 

compartments may be used so that perishables and other 92 may communicate with server 30 through a conventional 

temperature-sensitive items may be delivered at any time Internet/PSTN connection (e.g., using a modem unit, etc) 

into the storage box. lliis added convenience for the deliv- 65 and with remote access code control unit 90 through wire- 

ery service providers might be an incentive for such busi- less (e.g., RF or IR) connection. Messages from remote 

nesses to offer similar payment mechanisms through the access code control unit 90 may be downconverted. 
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decoded, iraoslated and/or packetized (e.g., according to What is claimed is: 

conventional TCP/IP or other communication protocols) for 1. A method comprising: 

transmission to server 30. Likewise, messages from server . . ^ . , , 

30 may be depacketized, decoded, translated and/or upcon- recexvmg at a server and via the Internet a request for an 

verted for transmission to remote access code control unit 90 5 access code for a locking mechanism; and 

across communication link 94. Such a mechanism allows for issuing from the server a one-time use access code for the 

the exchange of many different types of messages between locking mechanism, wherein the one-lime use access 

the server 30 and the remote access code control unit 90, ^ ^^^^^ ^ currently available access 

such as access codes, instructions to change window sizes ^^^^ mechanism. 

delivery/acceptance notifications, pick-up requests, payment _ *u-ifi- iu - .u 

authorization messages, etc. 2. The method of claim 1 wherem the one-time use access 

In some cases, the local interfaces unit 92 may be c«n: ^^^^^^ i^"^^*.^ ^^«P°°^ ^ ^^^^^^^ ^^"^^^^ fr^'" ^ 

figured with a notification unit to alert users that packages/ merchant or delivery service. 

goods have been delivered and/or picked up from a storage 3. The method of claun 1 further comprising updating the 

device associated with the remote access code control unit list of available access codes in response to an indication that 

90. For example, such a notification unit may be a conven- a code has been issued or used. 

tional liquid crystal display, one or more light emitting 4. The method of claim 1 further comprising updating the 

diodes, and/or other indicators that signal the pick-up/ listof available access codes in response to an indication that 

delivery of items. The interface unit 92 may also be ^ ^^^^ expired 

equipped with a keyboard or other man-machine interface to 5 ^^^^^^ ^^^-^ ^ ^^^^^-^ ^^^^^^^j 

allow for user communication with server 30, lor example to 20 . ; * r j r .u 

...... ^ 1 ui f 1 ♦ ♦/ ♦ available access codes is a subset of access codes for the 

mdicate that items are available for pick-up or to request/set ... . . 

access codes etc. ^ locking mechanism. 

„ , . * . , . £ *- c 6. The method of claim 5 wherein the access codes for the 

Returning now to FIG. 6, in some connguranons or access , . . . . ^ „ 

code entry unit 80, the access code entry unit 16 may include 1°^*^"^ mechanism are generated usmg a cryptographically 

means for accepting a biometric identification. Thus, finger/ 25 ^^''^"S random number generator. 

thumb print recognition units, retina recognition units, sig- "^^^^od of claim 1 wherein the one-time use access 
nature capture mechanisms (e.g., as are commonly used at ^^^^ e'fpires after a predetermined time period if not earlier 
point-of-sale terminals), and/or other means may be used to access the locking mechanism, 
employed as access devices for the unit. In this way, users **• The method of claim 1 further comprising opening the 
need not necessarily have to remember personal identifica- 30 locking mechanism using the one-time access code, 
tion numbers (PINs) and/or use other remote access devices. 9. A computer-based service configured to dispense one- 
Further, the access code entry unit 16 and/or controller 80 time use access codes for remotely located locking devices 
may be configured to accept special access codes to allow m response to requests therefor wherein transaction fees are 
users to change their PIN, reset a window size and/or switch assessed for each access code dispensed, 
access code tables, and perform other customization/ 35 1®- The service of claim 9 wherein the access codes are 
maintenance routines. Once such customization routine may dispensed from a server accessible through at least one of the 
be used to designate certain buttons of the access code entry Internet, a wireless network or the public switched telephone 
unit 16 as specific function keys. For example, one or more network. 

keys may be designated to transmit messages to specific U. llie service of claim 9 wherein each access code so 

vendors/couriers (e.g., via e-mail or other messages through 40 dispensed expires upon the earlier occurrence of (i) its use 

server 30), indicating that packages, etc. are ready for access an associated one of the storage devices, or (ii) a 

pick-up, predetermined time period. 

As mentioned briefly above, one of the advantages pro- 12. A locking mechanism, comprising: 

vided by the present invention concerns confirmation of an actuator configured to unlock in response to entry of an 

delivery. Upon access by the delivery person, the controller 45 authorized access code; and 

80 can be programmed to transmit a message to server 30 an access code entry unit configured to accept a one-time 

(e.g., using one of the above -described communication use access code issued by a remote server, wherein the 

channels) that includes the access code used by the delivery one-time use access code comprises a package tracking 

person. Server 30 can compare this access code to those number. 

previously issued and (in addition to updating any code 50 13. The locking mechanism of claim 12 wherein the 

windows, etc.) can then relay a message (e.g., via e-mail, one-time use access code comprises a number generated by 

pager, facsimile or other means) to the storage device owner a cryptographically strong random number generator, 

that not only indicates that a delivery has been made, but 14. The locking mechanism of claim 12 wherein the 

who/which organization made the delivery. In addition, one-time use access code is transmitted to the locking 

upon user access to the storage device, similar notice can be 55 mechanism fi-om the server. 

given to server 30 and server 30 can, in turn, send confir- 15. The locking mechanism of claim 12 wherein the 

mation of receipt messages to any vendors/delivery services one-time use access code is stored in a memory associated 

that had deposited packages in the storage device. This may with the locking mechanism. 

be especially useful where the delivery service requires or 16. The locking mechanism of claim 12 further compris- 

relies upon a customer "signature" and the confirmation of 60 ing an interface unit configured to communicate with the 

receipt message can be used as a virtual signature or can server. 

even include a digital representation ofthe customer's actual 17. The locking mechanism of claim 16 wherein the 

signature for record keeping purposes. interface unit is configured to communicate with the server 

Given the breadth of applications and variations for the through a second interface unit, 

above-described schemes then, the present invention should 65 18. ITie locking mechanism of claim 12 wherein the 

not be limited by the above-described examples but rather actuator includes a microcontroller coupled to receive inputs 

only measured in terms of the claims, which follows. from the access code entry unit. 
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19. A method, comprising: 

receiving, via the Internet at a computer-based unit, a code 
to be used as an access code for a locking device; and 
transmitting the access code to the locking device. 

20. The method of claim 19 wherein the transmitting is 
done via the Internet. 

21. The method of claim 19 wherein the code comprises 
a package tracking number. 

22. The method of claim 19 wherein the code is provided 
by a delivery service or merchant. 

23. The method of claim 19 wherein the code is provided 
by an owner of the locking device. 

24. The method of claim 19 wherein the access code 
expires after it is used. 

25. A method, comprising: 

receiving at a computer-based unit a request for an access 
code for a locking mechanism; and 

issuing from the computer-based unit, and according to a 
list of currently available access codes for the locking 
mechanism that is a subset of access codes for the 
locking mechanism, a one-time use access code for the 
locking mechanism, wherein the access codes for the 
locking mechanism are generated using a cryptographi- 
cally strong random number generator. 

26. llie method of claim 25 wherein the one-lime use 
access code is issued in response to a request received from 
a merchant or delivery service. 

27. The method of claim 25 further comprising updating 
the list of available access codes in response to an indication 
that a code has been issued or used. 

28. The method of claim 25 further comprising updating 
the list of available access codes in response to an indication 
that a code has expired. 

29. The method of claim 25 wherein the one-time use 
access code expires after a predetermined time period if not 
earlier used to access the locking mechanism. 

30. The method of claim 25 further comprising opening 
the locking mechanism using the one-time access code. 
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31. A method, comprising: 

receiving at a computer-based unit, a code to be used as 
an access code for a locking device; and 

transmitting the access code to the locking device, 
^ wherein the access code comprises a package tracking 
number. 

32. The method of claim 31 wherein the transmitting is 
done via the Internet. 

33. The method of claim 31 wherein the code is provided 
by a delivery service or merchant. 

34. The method of claim 31 wherein the code is provided 
by an owner of the locking device. 

35. 'llie method of claim 31 wherein the access code 
expires after it is used. 

36. A locking mechanism, comprising: 

an actuator configured to unlock in response to entry of an 
authorized access code; and 

an access code entry unit configured to accept a one-time 
20 use access-code issued by a remote server, wherein the 
one-time use access code comprises a number gener- 
ated by a cryptographically strong random number 
generator. 

37. The locking mechanism of claim 36 wherein the 
25 one-time use access code is transmitted to the locking 

mechanism from the server. 

38. The locking mechanism of claim 36 wherein the 
one-time use access code is stored in a memory associated 
with the locking mechanism. 

30 39. The locking mechanism of claim 36 further compris- 
ing an interface unit configured to communicate with the 
server. 

40. The locking mechanism of claim 36 wherein the 
interface unit is configured to communicate with the server 

35 through a second interface unit. 

41. The locking mechanism of claim 36 wherein actuator 
includes a microcontroller coupled to receive inputs from 
the access code entry unit. 

* * * 9|e * 
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